Security audit

本地研究资料查询 (Local Research Material Query)

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent local research-search purpose, but it can implicitly query local archives and send retrieved content into an AI summarization path that is not clearly disclosed or scoped.

Review before installing. Use this only if you are comfortable letting the agent search local AlphaPai and knowledge_bases archives, write report/runtime files under ~/.openclaw/data/research-archive-query, and potentially pass retrieved snippets to the AlphaPai AI analysis path. Keep private libraries excluded unless you explicitly request --include-private, and avoid running package_skill.py with a custom --dest path outside a disposable build directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill advertises shell execution and local file-writing behavior in its usage examples, but the metadata shown in this file does not declare the corresponding permissions. That creates a transparency and policy-enforcement gap: users or hosting frameworks may authorize the skill based on an incomplete capability declaration, while it can still invoke scripts, access environment-derived paths, and write reports locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The skill description says it is a query-only skill that excludes private sources by default, but the documented behavior includes generating AI summaries and writing artifacts to disk, and the code-level support may not actually enforce the default exclusion of private libraries such as personal. This mismatch is dangerous because users may disclose sensitive local archive content under the assumption that private material is excluded and that the skill does nothing beyond the query itself.

Description-Behavior Mismatch

Medium
Confidence
92%
Finding
The skill is presented as a local archive query tool, but it forwards retrieved archive content into an AI analysis pipeline to synthesize a report. That expands the data flow beyond search and can expose sensitive local content to a model or downstream service without clear user consent, which is especially dangerous in a research-archive context where documents may contain confidential material.

Context-Inappropriate Capability

Medium
Confidence
87%
Finding
This skill reaches into another skill's script directory and imports its AI-analysis module, creating hidden coupling and expanding effective behavior beyond archive retrieval. In security terms, this weakens review boundaries: changes in the imported skill can alter data handling, model behavior, or network usage of this skill without obvious visibility to users of the query feature.

Missing User Warnings

Medium
Confidence
93%
Finding
The script unconditionally deletes the user-supplied destination directory with shutil.rmtree(dest) if it already exists, without any confirmation prompt, path safety check, or restriction that the path stay within an expected build/output directory. If a user passes an unintended path, or if automation invokes the script with a malformed value, it can recursively erase arbitrary local files and directories.

Missing User Warnings

Medium
Confidence
95%
Finding
Retrieved archive text is embedded into a prompt and sent to an AI analysis function without user-facing warning, consent, or apparent content filtering. In the context of querying local research archives, this is more dangerous because the data may include proprietary notes, personal information, or confidential material that users expect to remain local.

VirusTotal

64/64 vendors flagged this skill as clean.